Just as a quick note if i meet this situation again. During the creation of the exploits, and i want to put a shellcode and the space would not enough (e.g below 20 bytes), but there is still a space in front of the buffer (before address that overwrite SE handler) for example in seh based buffer overflow:
junk1= 'A'*500
junk2= 'A'*12
buffy= junk1 + nseh + seh + '\x90'*8 + junk2
So, we need to jump back at least before the shellcode, for example our shellcode are 200 bytes, the buffer will be
buffy = 'A'*300 + shellcode + nseh + seh + '\x90'*8 + junk2
we need to jump back at least 220 bytes, to land in junk1, so we need 'junk2' to make us Jump back. to do this we can use decrement CH register (1 = 256 bytes decrease from ECX), but before doing that after we doing POP, POP, RETN the pointer three places down in the stack, to get this memory address to ECX register, we need to do POP ECX, POP ECX, POP ECX, after that Jump to ECX and it will moves back 256 from the original POP, POP, RETN instructions land.
So, here what we are doing